CIA Hacking Tools Remotely Control Video Streams and Security Cameras

The CIA has apparently stockpiled a mass of spying tools. CouchPotato and Dumbo are two such recently leaked exploits that reveal the CIA’s strategies for controlling surveillance.

In March, WikiLeaks began publishing a series of leaks on the U.S. Central Intelligence Agency. Code-named “Vault 7”, the project is focused on sharing exploits created and used by the CIA. It began with the leaking of 8,761 documents discovered within an isolated network in Langley, Virginia.

Vault 7 now sheds light on two new exploits aimed at hijacking and manipulating webcams and microphones, corrupting or deleting recordings, and spying on video streams in real time.

CouchPotato is a remote tool intended to target RTSP/H.264 video streams coming from networked cameras. It gives CIA operators the ability to “collect either the stream as a video file (AVI) or capture still images (JPG) of frames from the stream that are of significant change from a previously captured frame.”

Unlike Dumbo, it doesn’t seem to require physical access to a PC. The tool uses FFmpeg for video and image encoding and decoding and for RTSP connectivity. RTSP, the Real Time Streaming Protocol, is a network control protocol designed for use in entertainment and communication systems to control streaming media servers.

To minimize the size of the DLL binary, many of the audio and video codecs, along with other unnecessary features, have been removed from the version of FFmpeg that CouchPotato is built with. pHash, a perceptual image hashing algorithm, has been incorporated into FFmpeg’s image2 demuxer to provide image change detection: a new frame is only captured when its hash differs enough from the hash of the previously captured frame.
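As an added illustration of the pHash-based change detection described above (not code from the leaked tool or from FFmpeg): a pure-Python perceptual hash over a 32x32 grayscale frame, with a Hamming-distance threshold to decide whether a frame differs significantly from the previously captured one. The sample frames, the 32x32 size and the threshold of 10 are constructed assumptions.

```python
import math
import random

def dct_1d(vec):
    """Unnormalised 1-D DCT-II; the scale factor does not affect the hash bits."""
    n = len(vec)
    return [sum(vec[x] * math.cos((2 * x + 1) * u * math.pi / (2 * n))
                for x in range(n)) for u in range(n)]

def dct_2d(img):
    """Separable 2-D DCT of a square matrix: transform rows, then columns."""
    n = len(img)
    rows = [dct_1d(r) for r in img]
    cols = [dct_1d([rows[x][v] for x in range(n)]) for v in range(n)]
    return [[cols[v][u] for v in range(n)] for u in range(n)]

def phash(gray, low=8):
    """64-bit perceptual hash of a 32x32 grayscale frame (32 rows of ints): keep the
    low x low lowest-frequency DCT coefficients, one bit per coefficient above the median."""
    coeffs = dct_2d(gray)
    lows = [coeffs[u][v] for u in range(low) for v in range(low)]
    median = sorted(lows[1:])[(low * low - 1) // 2]  # lows[0] is the DC term, excluded
    bits = 0
    for c in lows:
        bits = (bits << 1) | (1 if c > median else 0)
    return bits

def hamming(h1, h2):
    """Number of bit positions in which two hashes differ."""
    return bin(h1 ^ h2).count("1")

def frame_changed(prev_hash, cur_hash, threshold=10):
    """True when the new frame differs 'significantly' (threshold is an assumed cutoff)."""
    return hamming(prev_hash, cur_hash) > threshold

def make_frame(seed, size=32):
    """Constructed sample frame: seeded pseudo-random texture standing in for a scene."""
    rng = random.Random(seed)
    return [[rng.randint(0, 200) for _ in range(size)] for _ in range(size)]

def brighten(frame, delta):
    """Same scene under different lighting: add a constant to every pixel (no clipping needed)."""
    return [[p + delta for p in row] for row in frame]

if __name__ == "__main__":
    scene = make_frame(1)
    h_prev = phash(scene)
    print("lighting change:", frame_changed(h_prev, phash(brighten(scene, 30))))  # False
    print("different scene:", frame_changed(h_prev, phash(make_frame(2))))  # True
```

A plain lighting change moves only the DC coefficient, so the hash is unchanged and no new frame would be captured; an unrelated scene flips roughly half of the 64 bits.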

CouchPotato works stealthily, leaving no evidence on the targeted system’s disk, because it has been designed to be run by the ICE v3 “Fire and Collect” loader. ICE is an in-memory code execution technique that runs the malicious module without its code ever being written to disk.

The documents posted to WikiLeaks deal with the first version of the tool, and it isn’t clear whether other versions exist. If there are improved versions, they would probably address the excessive CPU usage, which increases the chances of detection.

Neither WikiLeaks nor the leaked user guide details how the agency gains access to the targeted systems in the first place, but it is possible that CouchPotato is used in combination with other tools.

The CIA’s Dumbo project involves a USB thumb drive equipped with a Windows hacking tool that can identify installed connectivity and surveillance devices. The tool disables security cameras and corrupts recordings on computers running Windows XP and newer versions of the Microsoft operating system.

It is said to be used by the CIA’s Physical Access Group (PAG), a special branch within the Center for Cyber Intelligence (CCI) that is tasked with gaining and exploiting physical access to target computers in CIA field operations.

It identifies installed devices such as webcams and microphones, whether attached locally or connected over wireless (Bluetooth, WiFi) or wired networks. Once they are identified, the Dumbo program allows CIA agents to:

Mute all microphones

Disable all network adapters

Suspend any processes using a camera recording device

Selectively corrupt or delete recordings

By deleting or manipulating recordings, the operator can fabricate evidence or destroy actual evidence of the intrusion operation.

For a successful operation, however, the tool requires SYSTEM-level privileges to run. For its log to be maintained, the thumb drive that Dumbo is executed from must remain plugged into the system for the entire duration of the operation.

Previous Vault 7 Leaks

“Vault 7” is a substantial collection of material about CIA activities obtained by WikiLeaks since March 2017. These leaked tools include:

Android Developer | Electronics Undergrad
Pratyusha loves new gadgets and tinkering around with them. An avid coder, she likes playing around with Android and ML. She is currently a third year undergraduate student in Jadavpur University.